There have been multiple articles describing a “botnet” of thousands of compromised smartphones, all of which make calls to a 911 Public Safety Answering Point (PSAP) or some other target. A smartphone-based attack is the primary way to generate a TDoS attack against a PSAP. The classic Asterisk/SIP trunk/call generator type of attack is unlikely to affect 911, because 911 calls are routed according to the caller's location and there is no guarantee that calls placed through a SIP trunk will be routed to the desired PSAP. An attack leveraging many smartphones in a local area is the most likely way to affect a PSAP.
There is normally significantly more trunking available than there are PSAP attendants. This is logical and common in contact centers, as it allows callers to have their calls “answered” and put into a queue waiting for attendants. For a TDoS attack against 911 to have an effect, it needs to “clog” or saturate these trunks. If the attacker can overwhelm the entire trunking capacity, then some legitimate callers won’t have their calls answered. Even if the attack does not overwhelm all trunking, it will still have an impact on attendants, because they will waste time answering and clearing the TDoS calls. There are also multiple “trunk groups”, which are collections of physical channels into the PSAP. If an attack overwhelms one of these trunk groups, it may not overwhelm the entire capacity of the PSAP, but it will affect legitimate calls arriving through that trunk group. The biggest trunk group is normally mobile.
A large metro area PSAP will be served by multiple end office switches, each providing landline access to a geographic area. Each end office has some amount of dedicated 911 trunking, often on the order of 10 trunks. If an attack originates through one end office, the most it can deliver to the PSAP is those 10 or so simultaneous calls, so it cannot overwhelm the PSAP unless it saturates the trunking from all or many of the end offices. The mobile network, by contrast, has a significant amount of trunking into the PSAP, since the majority of 911 calls, as much as 75%, are now mobile. That is where overall PSAP capacity can be saturated, and it is also where calls from a smartphone-based botnet would arrive.
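To make the capacity argument concrete, here is a small Erlang-B trunk-saturation model. It is an added example, not code from the original post or from SecureLogix; the trunk counts, busy-hour loads and per-handset dial/hold/redial timings are assumptions chosen for illustration, not figures from any real PSAP. It also generalizes the argument slightly: rather than a fixed 10 trunks, it takes any trunk group and finds how many looping handsets are needed to block half of the legitimate callers on it.

```python
"""Trunk-group saturation model for a PSAP under TDoS load.

Added illustration: the trunk counts, busy-hour loads and handset timings
below are assumed values, not measurements from any real PSAP.
"""
from dataclasses import dataclass


def erlang_b(offered_erlangs: float, trunks: int) -> float:
    """Erlang-B blocking probability: the fraction of arriving calls that
    find all `trunks` channels busy when `offered_erlangs` of traffic is
    offered (one Erlang = one channel continuously busy).
    Uses the standard recursion B(k) = A*B(k-1) / (k + A*B(k-1)), B(0) = 1,
    which stays numerically stable for large trunk counts."""
    if trunks < 0:
        raise ValueError("trunks must be non-negative")
    b = 1.0
    for k in range(1, trunks + 1):
        b = offered_erlangs * b / (k + offered_erlangs * b)
    return b


@dataclass(frozen=True)
class TrunkGroup:
    name: str
    trunks: int            # simultaneous calls the group can carry into the PSAP
    legit_erlangs: float   # assumed busy-hour load from real 911 callers


def attack_erlangs(phones: int, hold_s: float, redial_gap_s: float) -> float:
    """Load offered by `phones` handsets that each dial 911, stay on the call
    for `hold_s` seconds, hang up, and redial after `redial_gap_s` seconds.
    Such a handset occupies a trunk hold/(hold+gap) of the time, i.e. that
    many Erlangs. A phone running a dial loop behaves roughly like this;
    the timing values are assumptions."""
    if phones < 0 or hold_s < 0 or redial_gap_s < 0:
        raise ValueError("inputs must be non-negative")
    return phones * hold_s / (hold_s + redial_gap_s)


def legit_blocking(group: TrunkGroup, phones: int,
                   hold_s: float = 30.0, redial_gap_s: float = 5.0) -> float:
    """Probability that a legitimate caller arriving on `group` during the
    attack gets a busy/fast-busy instead of reaching the PSAP queue."""
    offered = group.legit_erlangs + attack_erlangs(phones, hold_s, redial_gap_s)
    return erlang_b(offered, group.trunks)


def phones_to_saturate(group: TrunkGroup, target_blocking: float = 0.5,
                       hold_s: float = 30.0, redial_gap_s: float = 5.0,
                       cap: int = 100_000) -> int:
    """Smallest number of looping handsets that pushes legitimate-caller
    blocking on `group` to at least `target_blocking`."""
    for phones in range(cap + 1):
        if legit_blocking(group, phones, hold_s, redial_gap_s) >= target_blocking:
            return phones
    raise RuntimeError(f"more than {cap} handsets needed to saturate {group.name}")


# Assumed trunk groups for a large metro PSAP (illustrative numbers only).
END_OFFICE = TrunkGroup("end office 7 (landline)", trunks=10, legit_erlangs=2.0)
MOBILE = TrunkGroup("mobile", trunks=120, legit_erlangs=60.0)


if __name__ == "__main__":
    for group in (END_OFFICE, MOBILE):
        for phones in (0, 10, 25, 100, 250):
            print(f"{group.name:24s} {phones:4d} looping handsets -> "
                  f"{legit_blocking(group, phones):5.1%} of legitimate calls blocked")
        print(f"{group.name:24s} reaches 50% blocking at "
              f"{phones_to_saturate(group)} handsets\n")
```

With these assumed numbers a couple of dozen looping handsets already block most legitimate callers behind one end office, while the same handsets barely register on the mobile trunk group; saturating the mobile group needs an order of magnitude more devices, which is exactly why a smartphone-based attack, where the handsets are the mobile callers, is the one that matters.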
We also saw a recent actual attack, in which a young hacker posted on Twitter a link to a web page containing malicious code. The account had over 10,000 followers and, of course, the link was obscured through bit.ly. When the link was clicked, the page used the click-to-dial feature on iOS smartphones inside a loop that ran 1,000,000 times, so the phone kept placing calls to 911. Most of the people who clicked the link were in the Phoenix area. What is interesting about this attack is how simple the malicious code was. It wasn’t a sophisticated bit of malware leveraging some obscure feature of the smartphone; it simply invoked click-to-dial in a loop. It wasn’t a botnet. Pretty much anyone could create this code.
So in summary, we have a situation where the most vulnerable part of a PSAP is the mobile trunking, the easiest way to generate a TDoS attack on a PSAP is through compromised smartphones, the code needed to generate calls on smartphones is trivial, and we have had an “accidental” attack in the wild. Unfortunately, we expect to see more deliberate attacks in the future.
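The defender's view of the attack described above: a handset stuck in a dial loop leaves an obvious signature in call detail records (the same calling number placing many very short calls in a short window), and a saturated trunk group shows up as peak concurrency at its trunk count. The following detection logic, run over a small set of constructed call records, is an added example and is not code from the original post, from SecureLogix, or from any PSAP product; the CDR field layout, the phone numbers, the trunk group names and the capacities are assumptions for illustration.

```python
"""Repeat-dialer and trunk-saturation checks over 911 call detail records.

Added example. The CDR format, phone numbers, trunk group names and
capacities below are constructed for illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CallRecord:
    ts: datetime      # call start (UTC)
    ani: str          # calling number
    trunk: str        # trunk group the call arrived on
    duration_s: int   # seconds the call occupied a trunk


def parse_cdr(line: str) -> CallRecord:
    """Parse one constructed CDR line: '<ISO-8601 start>,<ANI>,<trunk>,<seconds>'."""
    ts, ani, trunk, dur = (f.strip() for f in line.split(","))
    return CallRecord(datetime.fromisoformat(ts.replace("Z", "+00:00")), ani, trunk, int(dur))


def find_repeat_dialers(records, window_s=120, min_calls=5, max_avg_duration_s=15):
    """Flag ANIs that place >= `min_calls` calls inside any `window_s`-second span
    with average duration <= `max_avg_duration_s`. A handset in a dial loop matches;
    a distressed caller redialing after a dropped call normally does not, because
    their attempts are few and last longer. Returns {ani: most calls seen in a window}."""
    by_ani = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.ts):
        by_ani[rec.ani].append(rec)
    flagged = {}
    for ani, calls in by_ani.items():
        window = deque()
        for rec in calls:
            window.append(rec)
            while (rec.ts - window[0].ts).total_seconds() > window_s:
                window.popleft()
            if len(window) >= min_calls:
                avg = sum(c.duration_s for c in window) / len(window)
                if avg <= max_avg_duration_s:
                    flagged[ani] = max(flagged.get(ani, 0), len(window))
    return flagged


def peak_concurrency(records):
    """Peak number of simultaneously active calls per trunk group, via a sweep
    line over start (+1) and end (-1) events; at equal timestamps the -1 sorts
    first, so a call ending exactly when another starts does not overlap it."""
    events = defaultdict(list)
    for rec in records:
        events[rec.trunk].append((rec.ts, +1))
        events[rec.trunk].append((rec.ts + timedelta(seconds=rec.duration_s), -1))
    peaks = {}
    for trunk, evs in events.items():
        active = peak = 0
        for _, delta in sorted(evs):
            active += delta
            peak = max(peak, active)
        peaks[trunk] = peak
    return peaks


def saturated_groups(records, capacity):
    """Trunk groups whose peak concurrency reached their (assumed) trunk count."""
    peaks = peak_concurrency(records)
    return [t for t, p in peaks.items() if p >= capacity.get(t, float("inf"))]


# Constructed data: three ordinary calls plus two handsets in a dial loop.
SAMPLE_CDR_LINES = [
    "2016-10-25T20:15:00Z,+14805550001,mobile,95",
    "2016-10-25T20:15:40Z,+14805550002,end-office-7,210",
    "2016-10-25T20:16:10Z,+14805550003,mobile,60",
] + [
    # handset A: redials every 10 s, each attempt lasts 3 s
    f"2016-10-25T20:{15 + (5 + 10 * i) // 60:02d}:{(5 + 10 * i) % 60:02d}Z,+14805550101,mobile,3"
    for i in range(8)
] + [
    # handset B: redials every 12 s, each attempt lasts 4 s
    f"2016-10-25T20:{15 + (7 + 12 * i) // 60:02d}:{(7 + 12 * i) % 60:02d}Z,+14805550102,mobile,4"
    for i in range(6)
]


def load_sample():
    return [parse_cdr(line) for line in SAMPLE_CDR_LINES]


if __name__ == "__main__":
    recs = load_sample()
    print("repeat dialers:", find_repeat_dialers(recs))
    print("peak concurrency:", peak_concurrency(recs))
    # Assumed capacities; the toy data set is far too small to saturate them.
    print("saturated:", saturated_groups(recs, {"mobile": 120, "end-office-7": 10}))
```

The per-ANI check is what lets a PSAP or its carrier's session border controller drop or deprioritise the looping handsets without touching the other callers; the concurrency check is the early warning that a trunk group is about to start returning busy signals to real emergencies.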
I don't know how widely "The Cyber Shield" is distributed. I believe we get it because some of our folks have security clearances (so if true, lots of people get it). Anyway, there is some info about our recent article in Government Computer News (GCN). I copied the info and provided a link to the bulletin below:
DHS working to protect emergency call centers against denial-of-service attacks
GCN, 24 Oct 2016: The distributed denial of service attack on managed DNS provider Dyn that made portions of the internet unreachable on Oct. 21 is just the latest example of the disruption caused by a system that finds itself overwhelmed with requests. Experts are still dialing for dollars when it comes to ideas for how to mitigate the risk, or even the impact, of a potential telephony denial-of-service attack on the 911 emergency services system.

Is an attack on emergency services just one call away? A recent study revealed how easy it would be for bad actors to overload and disable infrastructure for the 911 emergency services in the United States.

Similar to DDoS attacks, telephony denial-of-service attacks – where bad actors flood the system with illegitimate calls to knock out access to emergency services or other critical communication – are reportedly on the rise. Tech-savvy criminals, hacktivists and even malicious nation-states see the phone system as a critical way to strong-arm federal or local authorities to pay them ransom, pay attention to their cause or just wreak havoc. With more government services facing potential cyber threats by telephone as well as online, the Department of Homeland Security has a cluster of efforts underway to lower the risk and the impact of potential telephone system-based attacks. Such attacks can swamp a 911 call center, causing a potentially life-threatening risk. In a TDoS attack an overwhelming number of calls are sent to the 911 system, and “the high number of bogus calls effectively ties up system resources so that actual 911 calls may not get through,” DHS Science and Technology Directorate Program Manager Daniel Massey said. “As attacks become larger and more sophisticated, it is very important that systems for defense also improve to meet this threat,” he added. “Our project can play a significant role in helping defend against future attacks.”

In fact, DHS has a number of efforts underway to try and stem the tide of TDoS attacks, according to Mark D. Collier, CTO of SecureLogix Corp., a San Antonio, Texas-based telephony technology vendor working with DHS. Their core project together seeks ways to detect spoofing – or differentiating fake calls from legitimate ones – and aims to apply this to potential TDoS attacks, Collier said. In another project, in conjunction with the University of Houston, SecureLogix and DHS are investigating how the move to Next Generation 911 might impact TDoS attacks, particularly in relation to emergency services. “When you’re dealing with 911, this could be a real emergency situation,” Collier said. “We want to make sure that we are never dropping the right call.” Collier said the pilots his company is working on include at least two city 911 call centers and a major dispatch line for police and fire fighters. Larry Shi, principal investigator for the University of Houston, said that different government agencies including the FBI and DHS have noticed the “growing number of TDoS attacks against both commercial call centers and emergency communication systems. Without proprietary protection, these attacks against 911 call centers can easily make the service unavailable which may cause serious consequences, like loss of lives.” The results of the pilot deployments should help demonstrate the effectiveness of the solution, identify issues that may still need to be resolved, and show how the results can be widely applicable to 911 systems around the country, as well as other critical systems that are vulnerable to telephony attacks.
See the article below about a young hacker who “accidentally”, or so he says, generated a Telephony Denial of Service (TDoS) attack against 911 facilities in the Phoenix area. The hacker had a Twitter account with some 12,000 followers and posted a link which installed malware on their iOS devices, which then called 911 over and over again. The hacker claims that he posted the wrong link, only intending to cause pop-ups to be displayed on the device.
I have posted some recent articles describing how a botnet of infected smartphones could be used to generate a TDoS attack against 911. For convenience, I posted a few of these articles below. What makes this type of attack significant is that it is one of the few ways that you can really flood a 911 network. I will describe why in a later post.
This recent article is the first case that I am aware of where an attack such as this has been used in the wild. I don't know how many devices were generated or how many calls were made, but the attack clearly had an impact.